Software Audits: Are You Ready?

Study reveals more than half of companies have faced software audits within the past two years. Microsoft, Oracle, SAP, and IBM top list of auditors.

7 Super Certifications For IT Pros

(Click image for larger view and slideshow.)

The five vendors mostly likely to audit corporate software licenses are Microsoft, Adobe, Autodesk, Oracle, and SAP, in that order. Among organizations with 10,000 or more employees, IBM took the number-four spot, bumping Oracle to number five, and moving SAP off the top-five list.

These are among the findings of the "2013 Software Audit Industry Report," a survey released last month by Express Metrix, a provider of software asset management software. Based on interviews with 178 senior IT managers at North American companies with 500 or more employees, the study found that 53% of respondent firms have been audited within the past two years. Companies with 5,000 to 9,999 employees were the most audited, followed by firms with 10,000 to 25,000 employees.

Audits are inquiries (and sometimes systems-monitoring investigations) to ensure that every copy of installed software is actually licensed. Anecdotal reports indicate that audits are on the upswing. Express Metrix launched its survey to create an annual benchmark that will yield reliable statistics on trends. Auditing used to be carried out primarily by the vendor-funded Business Software Alliance (BSA), but that's changing, according to Dawson Stoops, a co-founder and VP of sales at Express Metrix.

"The BSA is still doing audits, but many vendors, because of their need to drive revenue, have taken on the task of doing audits themselves," Stoops said. "Now that industry groups and individual vendors are both auditing, we're seeing more activity."

The top-five list shouldn't be surprising in that these are among the leading software suppliers around the globe, and more customers translates into more audits. Rounding out the survey's top-10 list of most-frequent auditors are McAfee, Attachmate, VMware, and Symantec. With these and other prominent suppliers of software now auditing, the question isn't will you face an audit, but when and will you be ready?

Tracking software installed versus software licensed may sound straightforward, but when companies have hundreds, thousands, or tens of thousands of users, things can get complicated. Carolina Container, a High Point, N.C.-based packaging company, was audited by Microsoft last year, and JC Coleman, the company's network administrator said "it caused a lot of headaches."

"I had to come up with real numbers, real quick -- for every operating system, every Office suite, every SQL Server, Visio, PowerPoint -- everything," said Coleman.

The company's calculations were complicated by the fact that Carolina Container makes extensive use of terminal services (also known as remote desktop services). "Over half of our environment is thin client, so I couldn't scan anything to know who had what access to what software," Coleman explained -- an observation that hints that virtualization and private-cloud delivery might also complicate licensing matters.

Microsoft was ultimately satisfied with the numbers that Carolina Container reported and the company had only a minor increase in licensing fees. The biggest hit, according to Coleman, was the time it took him and his staff to come up with accurate numbers. Vowing not to repeat that experience, Coleman said he has since licensed Express Metrix's software in part because it can track software usage through terminal services as well as conventional installations.

If companies track software and licenses at all, they often do it with a mix of spreadsheets, file cabinets, and purchasing systems, according to Stoops. But that leads to a reactive approach when vendors give notice that they plan to audit -- a right they have stipulated in most every software licensing agreement. Stoops said software asset management (SAM) systems monitor actual software usage and enable companies to take a proactive approach that might help them eliminate shelfware and reduce license and maintenance fees.

"Our software gives them an inventory of what they have, reconciles that with what they own, and, over time, gives them detailed insight into what's actually being used," said Stoops. "So when a vendor says, 'We're going to do an audit in two weeks,' the CIO can be ready and say, 'Great, bring it on.'"

With the rise of auditing, the entire SAM category -- with vendors including Express Metrix, Flexera, and Snow Software -- has gotten a lift. Larger organizations tend to use IT asset management systems to track software as well as other intellectual property. Indeed, Stoops said Express Metrix licenses its technology to IT asset management system providers including IBM and BMC.

While SAM software introduces yet another piece of software that has to be licensed and tracked, Stoops described it as "audit insurance" and said it typically costs $10 to $20 per user. A "freemium" version of the software, introduced last week, inventories software on up to 1,000 machines, but you'll have to buy the paid version to get software usage tracking and advanced features for tracking software licenses.

Doug Henschen is executive editor of InformationWeek, where he covers the intersection of enterprise applications with information management, business intelligence, big data, and analytics. He previously served as editor-in-chief of Intelligent Enterprise, editor-in-chief of Transform magazine, and executive editor at DM News.

Solid state alone can't solve your volume and performance problem. Think scale-out, virtualization, and cloud. Find out more about the 2014 State of Enterprise Storage Survey results in the new issue of InformationWeek Tech Digest.

Today SAM tools go further than just an inventory. They've become smarter and use NLP and AI technologies, for example Binadox. They are able to analyze license texts, find the most critical elements and compare different licenses. Moreover, they also monitor SAAS subscriptions and usage and track software usage. Today SAM tools play the key role in Software Asset Management and save businesses lots of recources.

If you install it, you owe for it. Any installation creates a constructive liability.

Copyright Law - Title 17 of U.S. Code.

Organizations should, therefore, consider the business risks of uncontrolled installation of software, and the resulting, perhaps unplanned, liabilities. And, create controls appropriate to the risk.

We see companies that have gotten a single true-up settlement, with a single supplier, of 23% of the total IT budget. And, then, the other suppliers also seem to find out. If in an industry with high IT costs, say 7% - 8% of revenue, this can result in a unplanned liability in the 3% to 4% of overall revenue. Close to a reportable event on annual report. And, certainly, a huge unplanned expenditure.

Where companies are most at risk seems, these days, to be the uncontrolled use of "Cloud" and copies of platforms to the "Cloud" that create significant liability. A single Virtual platform can contain $30k or more of software - for which the company is instantly liable, most often without preventative controls.

@Lorna...Whenever I read about VDI or it was brought up I could never get a clear answer on licensing. I think you are correct, there is a lot of confusion over that topic. I am under the impression it is very costly to implement VDI. That may be incorrect because I never got that clear answer. I look forward to reading your survey.

Seems to me that audit provisions would be something a large company could strike from the contract by threatening to go with a competitor's software. If that doesn't work, there's always open-source...

Rob, Software vendors have the authority to audit their customers under the terms and conditions of the EULA (End User License Agreement) that the customer agrees to. The EULA typically spells out the length of time required for audit notification, and how the audit will be conducted. Most companies accept the audit provision terms without understanding or preparing for the repercussions. The audit is typically conducted onsite by a third part firm hired by the ISV.

Easier to control piracy with the SaaS model, too. No suprise that vendors are doing more of their own auditing these days. It's a good conversation starter to get customers to move to from traditional licensing to SaaS.

The point about virtualization/private-cloud complicating licensing is also key - enterprise software vendors definitely have not kept up with use of server virtualization, never mind desktop. In fact, I think that licensing confusion is one big reason VDI never took off. IT had to pay for the VDI software plus had the same licensing costs.

I'm hoping to do a survey and report on this in 2014, get IT's side of the story.

The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.

Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.